new(docker): initial work towards new docker images.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
2025-09-02 15:15:17 +00:00 · 2024-05-20 14:21:38 +02:00
parent e4107c05a4
commit 1307061554
9 changed files with 110 additions and 272 deletions
--- a/docker/driver-loader-legacy/Dockerfile
+++ b/docker/driver-loader-legacy/Dockerfile
@@ -124,6 +124,9 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 # Install latest falcoctl
 RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecurity/falcoctl/releases/latest" | jq -r '.assets[] | select(.name|test(".linux_$TARGETARCH.tar.gz")) | .browser_download_url') && tar -xvf falcoctl.tar.gz && mv falcoctl /usr/bin
 COPY ./docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
--- a/docker/driver-loader-legacy/docker-entrypoint.sh
+++ b/docker/driver-loader-legacy/docker-entrypoint.sh
@@ -124,3 +124,5 @@ else
 fi
 /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"
 exec /usr/bin/falco
--- a/docker/driver-loader/Dockerfile
+++ b/docker/driver-loader/Dockerfile
@@ -1,5 +1,5 @@
 ARG FALCO_IMAGE_TAG=latest
-FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}
+FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
@@ -9,6 +9,42 @@ LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc
 ENV HOST_ROOT /host
 ENV HOME /root
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bc \
 	bison \
 	ca-certificates \
 	clang \
 	curl \
 	dkms \
 	dwarves \
 	flex \
 	gcc \
 	gcc-11 \
 	gnupg2 \
 	jq \
 	libc6-dev \
 	libelf-dev \
 	libssl-dev \
 	llvm \
 	make \
 	netcat-openbsd \
 	patchelf \
 	xz-utils \
 	zstd \
 	&& rm -rf /var/lib/apt/lists/*
 # Install latest falcoctl
 RUN curl -L -o falcoct.tar.gz $(curl -s "https://api.github.com/repos/falcosecurity/falcoctl/releases/latest" | jq -r '.assets[] | select(.name|test(".linux_$TARGETARCH.tar.gz")) | .browser_download_url') && tar -xvf falcoctl.tar.gz && mv falcoctl /usr/bin
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 COPY ./docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
--- a/docker/driver-loader/docker-entrypoint.sh
+++ b/docker/driver-loader/docker-entrypoint.sh
@@ -136,3 +136,5 @@ else
 fi
 /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS" $extra_args
 exec /usr/bin/falco
--- a/docker/falco-debian/Dockerfile
+++ b/docker/falco-debian/Dockerfile
@@ -0,0 +1,34 @@
 FROM debian:12-slim
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco/docker/falco-debian"
 LABEL usage="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=deb
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 ENV HOST_ROOT /host
 ENV HOME /root
 RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 ca-certificates \
    && apt clean -y && rm -rf /var/lib/apt/lists/*
 WORKDIR /
 RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
 	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 # Falcoctl is not included here.
 RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/
 RUN sed -e -i 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml
 CMD ["/usr/bin/falco"]
--- a/docker/falco/Dockerfile
+++ b/docker/falco/Dockerfile
@@ -1,67 +1,43 @@
-FROM debian:bookworm
+FROM cgr.dev/chainguard/wolfi-base as builder
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 RUN apk update && apk add curl ca-certificates jq libelf
 WORKDIR /
 RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
    curl -L -o falco.tar.gz \
    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
    tar -xvf falco.tar.gz && \
    rm -f falco.tar.gz && \
    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
    rm -rf /falco/usr/src/falco-*
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 # Falcoctl is not included here.
 RUN rm -rf /falco/usr/bin/falcoctl /falco/etc/falcoctl/
 FROM cgr.dev/chainguard/wolfi-base
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
-LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc --name NAME IMAGE"
+LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
-ARG TARGETARCH
+RUN apk update && apk add curl ca-certificates jq libelf
 ARG FALCO_VERSION=latest
 ARG VERSION_BUCKET=deb
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV HOST_ROOT /host
 ENV HOME /root
-RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+USER root
-
+COPY --from=builder /falco /
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bc \
 	bison \
 	ca-certificates \
 	clang \
 	curl \
 	dkms \
 	dwarves \
 	flex \
 	gcc \
 	gcc-11 \
 	gnupg2 \
 	jq \
 	libc6-dev \
 	libelf-dev \
 	libssl-dev \
 	llvm \
 	make \
 	netcat-openbsd \
 	patchelf \
 	xz-utils \
 	zstd \
 	&& rm -rf /var/lib/apt/lists/*
 RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& echo "deb https://download.falco.org/packages/${VERSION_BUCKET} stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list \
 	&& apt-get update -y \
 	&& if [ "$FALCO_VERSION" = "latest" ]; then FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco; else FALCO_DRIVER_CHOICE=none apt-get install -y --no-install-recommends falco=${FALCO_VERSION}; fi \
 	&& apt-get clean \
 	&& rm -rf /var/lib/apt/lists/*
 # Change the falco config within the container to enable ISO 8601
 # output.
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /etc/falco/falco.yaml > /etc/falco/falco.yaml.new \
 	&& mv /etc/falco/falco.yaml.new /etc/falco/falco.yaml
 # Some base images have an empty /lib/modules by default
 # If it's not empty, docker build will fail instead of
 # silently overwriting the existing directory
 RUN rm -df /lib/modules \
 	&& ln -s $HOST_ROOT/lib/modules /lib/modules
 COPY ./docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/bin/falco"]
--- a/docker/falco/docker-entrypoint.sh
+++ b/docker/falco/docker-entrypoint.sh
@@ -1,136 +0,0 @@
 #!/usr/bin/env bash
 # SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 print_usage() {
 	echo ""
 	echo "Usage:"
 	echo "  docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro -e 'FALCO_DRIVER_LOADER_OPTIONS=[driver] [options]' falcosecurity/falco:latest"
 	echo ""
 	echo "Available FALCO_DRIVER_LOADER_OPTIONS drivers:"
 	echo "  auto	       leverage automatic driver selection logic (default)"
 	echo "  modern_ebpf    modern eBPF CORE probe"
 	echo "  kmod           kernel module"
 	echo "  ebpf           eBPF probe"
 	echo ""
 	echo "FALCO_DRIVER_LOADER_OPTIONS options:"
 	echo "  --help           show this help message"
 	echo "  --clean          try to remove an already present driver installation"
 	echo "  --compile        try to compile the driver locally (default true)"
 	echo "  --download       try to download a prebuilt driver (default true)"
 	echo "  --http-insecure	 enable insecure downloads"
 	echo "  --print-env      skip execution and print env variables for other tools to consume"
 	echo ""
 	echo "Environment variables:"
 	echo "  FALCOCTL_DRIVER_REPOS         specify different URL(s) where to look for prebuilt Falco drivers (comma separated)"
 	echo "  FALCOCTL_DRIVER_NAME          specify a different name for the driver"
 	echo "  FALCOCTL_DRIVER_HTTP_HEADERS  specify comma separated list of http headers for driver download (e.g. 'x-emc-namespace: default,Proxy-Authenticate: Basic')"
 	echo ""
 }
 # Set the SKIP_DRIVER_LOADER variable to skip loading the driver
 if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
    echo "* Setting up /usr/src links from host"
    for i in "$HOST_ROOT/usr/src"/*
    do
        base=$(basename "$i")
        ln -s "$i" "/usr/src/$base"
    done
    # convert the optional space-separated env variable FALCO_DRIVER_LOADER_OPTIONS to array, prevent 
    # shell expansion and use it as argument list for falcoctl
    read -a falco_driver_loader_option_arr <<< $FALCO_DRIVER_LOADER_OPTIONS
    ENABLE_COMPILE="false"
    ENABLE_DOWNLOAD="false"
    HTTP_INSECURE="false"
    driver=
    has_opts=
    for opt in "${falco_driver_loader_option_arr[@]}"
    do
        case "$opt" in
            auto|kmod|ebpf|modern_ebpf)
                if [ -n "$driver" ]; then
                    >&2 echo "Only one driver per invocation"
                    print_usage
                    exit 1
                else
                    driver=$opt
                fi
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;    
            --clean)
                /usr/bin/falcoctl driver cleanup
                exit 0
                ;;
            --compile)
                ENABLE_COMPILE="true"
                has_opts="true"
                ;;
            --download)
                ENABLE_DOWNLOAD="true"
                has_opts="true"
                ;;
            --http-insecure)
                HTTP_INSECURE="true"
                ;;
            --print-env)
                /usr/bin/falcoctl driver printenv
                exit 0
                ;;
            --*)
                >&2 echo "Unknown option: $opt"
                print_usage
                exit 1
                ;;
            *)
                >&2 echo "Unknown driver: $opt"
                print_usage
                exit 1
                ;;
        esac
    done
    # No opts passed, enable both compile and download
    if [ -z "$has_opts" ]; then
        ENABLE_COMPILE="true"
        ENABLE_DOWNLOAD="true"
    fi
    # Default value: auto
    if [ -z "$driver" ]; then
      driver="auto"
    fi
    if [ "$driver" != "auto" ]; then
      /usr/bin/falcoctl driver config --type $driver
    else
      # Needed because we need to configure Falco to start with correct driver
      /usr/bin/falcoctl driver config --type modern_ebpf --type kmod --type ebpf
    fi
    /usr/bin/falcoctl driver install --compile=$ENABLE_COMPILE --download=$ENABLE_DOWNLOAD --http-insecure=$HTTP_INSECURE --http-headers="$FALCOCTL_DRIVER_HTTP_HEADERS"
 fi
 exec "$@"
--- a/docker/no-driver/Dockerfile
+++ b/docker/no-driver/Dockerfile
@@ -1,39 +0,0 @@
 FROM debian:12 as builder
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 RUN apt-get -y update && apt-get -y install gridsite-clients curl ca-certificates
 WORKDIR /
 RUN curl -L -o falco.tar.gz \
    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-$(urlencode ${FALCO_VERSION})-$(uname -m).tar.gz && \
    tar -xvf falco.tar.gz && \
    rm -f falco.tar.gz && \
    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
    rm -rf /falco/usr/src/falco-*
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 FROM debian:12-slim
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 RUN apt-get -y update && apt-get -y install ca-certificates curl jq libelf1 \
    && apt clean -y && rm -rf /var/lib/apt/lists/*
 ENV HOST_ROOT /host
 ENV HOME /root
 COPY --from=builder /falco /
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]
--- a/docker/no-driver/Dockerfile.distroless
+++ b/docker/no-driver/Dockerfile.distroless
@@ -1,40 +0,0 @@
 FROM cgr.dev/chainguard/wolfi-base as builder
 ARG FALCO_VERSION
 ARG VERSION_BUCKET=bin
 ENV FALCO_VERSION=${FALCO_VERSION}
 ENV VERSION_BUCKET=${VERSION_BUCKET}
 RUN apk update && apk add build-base gcc curl ca-certificates jq elfutils
 WORKDIR /
 RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
    curl -L -o falco.tar.gz \
    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
    tar -xvf falco.tar.gz && \
    rm -f falco.tar.gz && \
    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
    rm -rf /falco/usr/src/falco-*
 RUN sed -e 's/time_format_iso_8601: false/time_format_iso_8601: true/' < /falco/etc/falco/falco.yaml > /falco/etc/falco/falco.yaml.new \
    && mv /falco/etc/falco/falco.yaml.new /falco/etc/falco/falco.yaml
 FROM cgr.dev/chainguard/wolfi-base
 LABEL maintainer="cncf-falco-dev@lists.cncf.io"
 LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro --name NAME IMAGE"
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 RUN apk update && apk add libelf libstdc++
 ENV HOST_ROOT /host
 ENV HOME /root
 USER root
 COPY --from=builder /falco /
 CMD ["/usr/bin/falco", "-o", "time_format_iso_8601=true"]